A Presentation on ONC’s Electronic Consent Management (ECM) Landscape Assessment
Joint Meeting of the HITSC TSSWG with the HITSC ASA WG, HITPC PSWG, Interoperability WG and Consumer WG
December 17, 2014
Lucia Savage, ONC Chief Privacy Officer
Outline
• ONC Timeline Snapshot: History of Electronic Patient Consent
• Electronic Management of Individual Permissions Environment
• HIPAA: Permitted Uses and Disclosures
• Interoperability Roadmap: Framing Consent/Patient Choice Strategy
• Consent Terminology
• Why is Computational Privacy Important?
• ONC’s Electronic Consent Management (ECM) Landscape Assessment (conducted by MITRE)
• Q&A and Open Discussion
ONC TIMELINE SNAPSHOT: History of Electronic Consent Management
• September 2010: HITPC issues recommendations to ONC on Consent: http://www.healthit.gov/facas/sites/faca/files/hitpc_transmittal_p_s_tt_9_1_10_0.pdf
• March 2012: ONC Program Instruction Notice (PIN), Privacy and Security Framework Requirements and Guidance for the State Health Information Exchange Cooperative Agreement Program: http://www.healthit.gov/sites/default/files/hie-interoperability/onc-hie-pin-003-final.pdf.
• October 2013: HITPC recommends that the HITSC should further consider technical methods for giving providers the capacity to comply with applicable patient authorization: http://www.healthit.gov/FACAS/sites/faca/files/HITPC_Transmittal_08212013.pdf
• May 2014 - October 2014: October 2013 recommendations led to ONC’s ECM landscape assessment conducted by MITRE
• TODAY
Electronic Management of Individual Permissions Environment
Laws, regulations, and policies for patient consent
Laws, regulations, and policies for sensitive information
Consent models (opt-in, opt-out, with restrictions, etc.)
HIO Architecture
EHR system interoperability
Consent directive (paper or electronic) or
Patient provides consent to share sensitive health information and HIPAA Permitted Uses and Disclosures
HIPAA: Permitted Uses and Disclosures
HIPAA remains the constant:
• Remember, HIPAA permits exchange of data among Covered Entities without a written permission from the individual for Treatment, Payment, and Healthcare Operations (TPO), unless a more restrictive law applies.
• HIPAA supplies a “background rule” that operates if the individual never takes action to state a choice.
Interoperability Roadmap: Framing Consent/Patient Choice Strategy
Variation in rules about permission to access, use or disclose makes it difficult to build software systems that accurately capture, maintain, and persist this data. But we need software systems to capture and persist both written individual directions and what is permitted without a written individual direction.
Consent Management, evolving to Computable Privacy
Consent Terminology: Definitions used in Assessment
• Patient Consent
– A patient’s decision to permit his/her health information to be accessed and shared for treatment purposes; specifically, authorization (1) to participate in electronic health information exchange (Big Choice) and (2) to share sensitive health information (Granular Choice).
– Alternate terminology: patient preferences, authorization, meaningful choice, release of information (ROI)
• Privacy Consent Directive
– An expression of a patient’s consent decision regarding how personal health information is to be accessed and shared
– Expressed either in paper form or electronically as a technically implementable specification
Consent Terminology: Definitions used in Assessment
• Consent Management (CM)
– A system, process, or set of policies that enables patients to choose what health information they are willing to permit their healthcare providers to access and share. It enables patients to participate in e-health initiatives and to establish privacy preferences to determine who can access protected health information (PHI), for what purpose, and under what circumstances. CM involves the dynamic creation, management, and enforcement of patient, organizational, and jurisdictional privacy directives.
• Electronic consent management (ECM)
– CM done in a fully electronic manner, whereby patient consent decisions are handled in an automated way by health information technology (IT) systems. Consent is able to control access to and sharing of health information.
Why is Computational Privacy Important?
• As more providers and health information organizations (HIOs) adopt electronic health records (EHRs) and other health IT, technology will play an increasing role in electronically capturing and maintaining patient permissions
• Health IT systems will need the ability to identify and persist patient decisions
• Technology will play an important role in communicating a patient’s decision related to sharing health information as well as handling sensitive health information
NOTE: Assessment was commissioned under name of “electronic consent management” but we know that’s too narrow of a view.
ONC’s Electronic Consent Management (ECM) Landscape Assessment (Conducted by MITRE)
Landscape Assessment Objectives
• Scope
– Patient consent to participate in HIE and to share sensitive health information for treatment purposes
• Objectives
– Conduct a landscape assessment of current CM practices
– Determine how sensitive data is defined and maintained
– Identify gaps in current technology and other challenges that may be hindering the adoption of ECM
– Provide a description of technologies and standards that can identify, capture, track, manage, and transmit patient consent
• Inform ONC and Federal Advisory Committee Act (FACA) Work
Landscape Assessment Methodology
• 1 hour unstructured conversations with 25 diverse contributors
– Health information organizations (HIOs)
– Health IT developers/vendors
– Healthcare Providers
– Subject matter experts (SMEs) – patient advocacy organizations, attorneys representing HIOs, and federal IT experts
Landscape Assessment: Phases of CM Maturity
Phase I – Not Electronic (Current State)
• Paper consent form
• No structured data
• Human must review consent form
• No granularity
Phase II – Partially Electronic (Current Growth)
• Paper and electronic consent forms
• Some structured data: digital flags
• No granularity; share all or share none
Phase III – ECM (Future State)
• Electronic consent form
• Structured data
• Health IT interprets electronic consent directives, applicable laws, regulations, & policies
• Granular choice
Today → Future
Landscape Assessment Findings: Current State Key Issues
• Paper consent forms/PDFs do not facilitate ECM
– Need for structured data in consent forms
• No existing best practice or model for electronically collecting or sharing consent information
• No consensus regarding the definition of sensitive information
– Sensitive information defined by federal and state laws
• HIPAA provides a legal floor and states can, and do, enact more restrictive rules
• Both states and HIOs have different consent models
Landscape Assessment Key Findings: Gaps and Challenges
Technology
• No gaps; no need for new technologies or standards
• Challenges: (1) lack of structured data in consent forms and (2) interoperability
Compliance Complexity
• Federal, state, local laws, regulations, & policies may conflict
• Conflicting consent models (opt-in, opt-out, or more granular consent options)
Identity and Access Management
• Concerns regarding patient-facing software to register and update consent
• Perceived as expensive and technically difficult
Cost
• Significant financial investment to deploy and maintain health IT
• Smaller practices at resource disadvantage
Workflow, Trust, and Education
• ECM requires providers to alter traditional workflows
• Both patients and providers may benefit from education to build trust
Policy Challenges
• Concerns regarding 42 C.F.R. Part 2
• Many HIOs do not process Part 2 data
• State laws re: sensitive information
Potential Approach to Moving from Current State to Ideal Future State (Phase III - ECM)
• Ability of electronic consent directives (both patient-directed and “background rules”) to be applied to existing health IT
• Fully automated ECM requires the use of numerous technology standards for transport, messaging, and vocabulary (already exist and are in use)
• Leverage lessons learned from pilots that have demonstrated that existing technology standards can support ECM
• Track or identify some software solutions that already offer ECM capabilities
[Diagram labels: CDA (header, body), Consent Directive, ADT, XACML]
Landscape Assessment Technology Standards Identified*
Transport Standards
XDR
XDM
XDS.b
Messaging and Language Standards
XML
HL7 v2 and v3
HL7 CDA
HL7 C-CDA
HL7 CCD
C32
XACML
SAML
Vocabulary Standards
LOINC
SNOMED CT
RxNorm
ICD-9 / ICD-10
*NOTE: These are the technology standards identified during the landscape assessment
Landscape Assessment Contributor Suggestions
Federal Consent Management Framework or Model (ONC, CMS, SAMHSA)
• Consent: collection method, data elements, vocabularies, messaging standards, provenance
Standard Sensitive Information Consent Form
Centralized Services to store and manage consent
• Master patient index; master provider index
Education
• Informative videos and other media directed at patients and providers; dispel myths and confusion
Standard Identity and Access Management Solutions
• Multi-factor authentication, personal appearance, more sophisticated authentication solutions
More Financial Incentives
• Extend CMS EHR Incentive Program eligibility to clinical counselors and treatment facilities.
42 C.F.R. Part 2 Reform
• Alter “to whom” requirements; align 42 C.F.R. Part 2 with HIPAA
Landscape Assessment Summary
• ECM is an important capability as patient health information becomes increasingly digitized
• ECM applies automated computer processing that interprets the patient’s electronic consent directive
• Although ECM faces challenges, pilots have demonstrated that existing technology standards can support ECM
– Software developers are acknowledging the need for ECM capabilities
• A federally defined policy and technical model framework for collecting and sharing patient consent for sensitive information in healthcare may be helpful
Q&A and Open Discussion